Properly handle use_master in k5_init_creds_get

If we make multiple requests in an initial creds exchange, the
krb5_sendto_kdc call in k5_init_creds_get may flip the use_master
value from 0 to 1 if it detects that the response was from a master
KDC.  Don't turn this into a requirement for future requests during
the same exchange, or we may have trouble following AS referrals.
Reported by Sumit Bose.

ticket: 7650

1 files changed, 4 insertions, 2 deletions

diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 20bc68939..ff455d355 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -521,7 +521,7 @@ k5_init_creds_get(krb5_context context, krb5_init_creds_context ctx,
     krb5_data reply;
     krb5_data realm;
     unsigned int flags = 0;
-    int tcp_only = 0;
+    int tcp_only = 0, master = *use_master;
 
     request.length = 0;
     request.data = NULL;
@@ -545,8 +545,9 @@ k5_init_creds_get(krb5_context context, krb5_init_creds_context ctx,
 
         krb5_free_data_contents(context, &reply);
 
+        master = *use_master;
         code = krb5_sendto_kdc(context, &request, &realm,
-                               &reply, use_master, tcp_only);
+                               &reply, &master, tcp_only);
         if (code != 0)
             break;
 
@@ -558,6 +559,7 @@ k5_init_creds_get(krb5_context context, krb5_init_creds_context ctx,
     krb5_free_data_contents(context, &reply);
     krb5_free_data_contents(context, &realm);
 
+    *use_master = master;
     return code;
 }